Warning and disclaimer:
***********************
This article is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this article or the information presented within it.

After researching for the last article I decided to try cracking a SAM file myself. JTR got the password I had created quite quickly (jut 4 chars long) but I know longer passwords could take a lot more time. After thinking and looking at a number of sites on the internet I have found two other ways to speed this process up: 1) Using a reconstructed list of possible cracked passwords with software like rainbow crack. And 2) Changing the SAM file. I am going to be discussing the second of these in this article, but of course it is easy for you to look up the first if needs be. The only problem with modifying the SAM file is that it won’t break encrypted documents.

------------------------------

What we are going to do:

Windows XP is not like some other more insecure OS’es such as windows 98, because it doesn’t store user passwords and information in separate files. Instead it stores them in what is called the SAM file. Because all the information is put together and some of it is encrypted, it is a lot harder to get out.

Instead of cracking a password , we are going to modify the password manually. To do this we will need software in the form of a boot disk to extract the SAM file, modify it, and write it back. We need special software to write to the disk as windows XP and NT use a filesystem called NTFS, which isn’t normally supported in DOS.

Step 1 – Getting the software:

NTFS4DOS – This is the boot disk software we will use. It is quite similar to a standard ms-dos bootdisk, except it can read/write to NTFS partitions (this is the hard disk format that windows XP uses). It can be obtained free of charge from http://www.datapol.de/dpe/freeware/index.html *

Chntpw - This is what we will actually use to change the password inside of the SAM file. I could not get the other NTFS driver things on the site to work with my setup, which is why we are using NTFS4DOS. It can be found on the site http://www.cgsecurity.org/ on the NTFS driver page.

Step 2 – Preparing the boot disk:

After you have run the NTFS4DOS installer, run the floppy creation wizard. It’s pretty simple – format the floppy disk, selecting the option to create an ms-dos boot disk, and then follow the wizard through, disable anything you don’t need so as to save space. After you have done this, download the ntfs drivers and tools from the cgsecurity website and copy the cwsdpmi.exe and chntpw.exe files to your boot floppy. They can be found in the ‘bin’ directory.

Step 3 – Booting up:

So, we have everything ready! Just put the disk in your computers drive, and start it up. It may take a few seconds to load. (In some computers booting from a floppy disk may be disabled, but it is beyond the scope of this article to discuss bypassing that here, but there are some links at the end that may help). You should get a screen telling you of the NTFS partitions on your hard disk (if it skips them, it means they aren’t ntfs and you only need normal DOS), and a notice asking if you are using this software for private purposes. You must type ‘y’ not ‘yes’ if you are for it to let you use the software.

If we were just cracking the password, this is where we would extract the sam file, and finish, taking it away for cracking later. If this is what you want then there are other tutorials on this. For those who want to risk screwing up their computer (you shouldn’t be using this on someone else’s without their permission), carry on!

Step 4 – Changing the SAM file:

This is actually a lot simpler than it may sound. You need to know where the SAM file is of course. On windows XP home it is in the path ‘c:windowssystem32config’

First, back up the current SAM file. YOU MUST DO THIS as the chntpw utility is known to screw up a lot:
A:>copy c:windowssystem32conifgSAM c:SAM.old
Then just run chntpw in interactive mode:
A:>chntpw –i c:windowssystem32configsam
Just go through the options, it’s pretty simple really. Chntpw lists all the user names, then you select one and enter a new password. You may like to check it has worked using a tool like John the Ripper.

Step 5 – Getting the old SAM back:

It is pretty likely that chntpw may screw up once or twice, in which case your only option is to try again. Of course, sometime you might want to restore the old password file, you can do this by simply booting up with the disk, and (considering you followed the above exactly) typing:
Copy c:sam.old c:windowssystem32configSAM

Bhullarz

18Apr2007 00:23

Re: Cracking the SAM.

step 4 is not working.Not able to copy the SAM file as the msg is shown it is being used by another process-cannot access the file. Now how to do it ?

haider_abbas_simple

4Jul2007 13:48

Re: Cracking the SAM.

you must first reboot the computer and boot it with the help of some boot disk. dont let xp boot because it just reserves this file to be used by it.

munkyeetr

5Jul2007 06:31

Re: Cracking the SAM.

Do I want to "write hive files?"

The default is no, but I would like to be sure.

munkyeetr

5Jul2007 06:32

Re: Cracking the SAM.

Never mind.

munkyeetr

5Jul2007 06:54

Re: Cracking the SAM.

Has anyone had luck with this? I tried about 6 times and it failed to login with the new passwords.

Bhullarz

8Jul2007 06:48

Re: Cracking the SAM.

Even after rebooting , file can not be copied as the msg is file is still in use.Give some good trick/idea which is working.

shabbir

8Jul2007 10:20

Re: Cracking the SAM.

It seems to be working for me at least. I have tried on the test PC.

munkyeetr

8Jul2007 10:46

Re: Cracking the SAM.

I had no problem coping the backup SAM file, running chntpw.exe, and saving the changes, but when I reboot, I couldn't log in using the new password.